Latest Updates

The other day I gave a talk at the Portland WordPress Developers Meetup about authentication in enterprise and web environments and how WordPress fits into the Identity Management alphabet soup. At the end, I showed off our WordPress Plugin, which can be used for easy and secure login to WordPress …

Watch Isaac’s talk about common mistakes that developers make in Android cryptography based on our article about the same topic. About: If you do a web search for “encrypting Strings in Android”, you’ll find a lot of example code, and they all look pretty similar. They definitely input a String …

Update: Here’s the video of Isaac’s talk on this topic and the GitHub repo for the AES library. You can also check out TozStore, Tozny’s multi-language end-to-end encryption platform. Our technology is designed to make integration of encryption quick and easy. You can sign up for free and try it out! …

This article is part of our Security Guides series. Chrome and other browsers are phasing out SSL certificates that are implemented using the weak SHA-1 hash. As a result, SSL certificate authorities, like GoDaddy, are also phasing out SHA-1 in favor of SHA-2. GoDaddy is one of the largest providers, …

The Associated Press has done some important research into the cause of cybersecurity incidents in the federal government. Unfortunately, they come to the wrong conclusion. They document the huge rise in security incidents, and then add: And [federal] employees are to blame for at least half of the problems. Specifically, not …

Take a look at the primary features of the Tozny login and out of band transaction verification system. Key points: Tozny is both easier to use and more secure than passwords. Tozny defeats advanced malware like man in the browser attacks. Tozny adds an extra layer of defense against CSRF.

It seems like such a simple question, “Am I vulnerable to Shellshock,” but it’s surprisingly complicated. Lots of Internet forums suggest pasting some magic code into your command line. If the code outputs “Vulnerable” then you need to upgrade. Unfortunately, it’s not that easy.

A successful man in the browser attack is devastating: The attacker gets full control over your account and you have no idea it is happening. In this post, we discuss the attack, its impact, and why typical mitigations fall short. Finally, we toot our own horn a bit and show …

Insider attacks are particularly difficult to defend against. Insiders have internal knowledge of the network, and often know a system’s vulnerabilities. Even if they don’t violate security policies, they can perform authorized actions in a malicious way. I like the Common Sense Guide to Mitigating Insider Threats. It’s light reading, if …